Big Orange Cloud Effective IAM Actions
![dependabot[bot] avatar](https://avatars.githubusercontent.com/in/29110?v=4 "dependabot[bot]")
Use Bulma's textarea class is-warning.
Basic styling and layout. No mobile support.
Use Bulma?
Notify of any build/deploy failures.
Update expanded policies to respect NotAction in IAM policies
CodeCommit > GitHub integration for the lolz
boc-effective/pipeline.template
Lines 130 to 131 in b5d2e22
They aren't used.
This policy results in a report that includes ``, but it has no actions:
{
"Statement": [
{
"Action": [
"logs:*"
],
"Effect": "Allow",
"Resource": "arn:aws:logs:*:*:*"
},
{
"Action": [
"logs:*"
],
"Effect": "Deny",
"Resource": "arn:aws:logs:*:*:*"
},
{
"Action": [
"s3:GetObject",
"s3:PutObject"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::*"
}
],
"Version": "2012-10-17"
}```There's interest.
Will create a milestone to track.
error.dataPath returned by ajv include a leading "." (which is right).
Currently, that's being jammed in the response that's displayed to the user, for example:
.Statement should NOT have fewer than 1 items
Maybe don't do that.
So that user doesn't need to download >200KB before seeing the website.
It should be easy to do the fetch; the biggest issue will be how this impacts testing, and how should the actions should be simulated in testing - should it just be loaded from local copy of policies.js?
Raised via email.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:*AccessPoint"
],
"Resource": "*"
}
]
}
Policy allows 8 actions on *
s3:CreateAccessPoint
s3:DeleteAccessPoint
s3:DeleteAccessPointPolicy
s3:GetAccessPoint
s3:GetAccessPointPolicy
s3:GetAccessPointPolicyStatus
s3:ListAccessPoints
s3:PutAccessPointPolicy
Policy allows 3 actions on *
s3:CreateAccessPoint
s3:DeleteAccessPoint
s3:GetAccessPoint
Merge all actions (per resource?) and match against the full list of actions https://awspolicygen.s3.amazonaws.com/js/policies.js
Relevant IAM docs.
See the docs.
Convert policy to something (base64?) that is embeddable in query string parameters.
Add stage post-S3 deployment.
invalidate-cache:
aws cloudfront create-invalidation \
--distribution-id XXX \
--paths '/*
Not be an empty string.
It blocked π
From the console:
Fetching https://awspolicygen.s3.amazonaws.com/js/policies.js
boc-effective-site-bucket-cl1zushj3npr.s3-website-us-east-1.amazonaws.com/:1 Access to fetch at 'https://awspolicygen.s3.amazonaws.com/js/policies.js' from origin 'http://boc-effective-site-bucket-cl1zushj3npr.s3-website-us-east-1.amazonaws.com' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.
And this is why you deploy ASAP π
Stop showing stale report.
As requested in AWS Developer Slack
This would be hard, as it would require requests to AWS with authorization, and the application is just a client-side application (on a different domain).
Fail on invalid versions.
Warn when not "2012-10-17"
Currently actions are stored in src/actions.json and updated via fetch.js.
Update in pipeline? Scheduled? See boc-jobs for an example.
Create a pipeline that does CI/CD for the website.
There's a solution, but it requires Lambda@Edge.
Install required dependencies as part of make install: cfn-lint, yamllint, etc
Just git hash is fine.
See this example in the Vue CLI docs.
Show report, hide instructions.
e.g. "Resource": "*"
This policy should ALLOW all actions:
{
"Version": "2012-10-17",
"Statement": [{
"Sid": "DenyAllUsersNotUsingMFA",
"Effect": "Deny",
"NotAction": "iam:*",
"Resource": "*",
"Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}
},{
"Sid": "AllowIAM",
"Effect": "Allow",
"Action": "iam:*",
"Resource": "*"
}]
}https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements.html
Snapshot tests?
make test
From Security Slack:
Thanks for this @Rowan Udell ! If you do s3:G* does it work for you? Iβm getting items that donβt match that and I want to make sure Iβm not doing something unexpected
Identity-based policies
Sample policies https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_examples.html
Try the following policy to see the full list of AWS acionts - it's the AWS Administrator Access Managed Policy arn:aws:iam::aws:policy/AdministratorAccess:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "*",
"Resource": "*"
}
]
}Something a little more real-world:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:get*",
"Resource": "*"
}
]
}For example:
"Policy {allows/does not} allow {COUNT} actions against resource {RESOURCE}"
Here's an example implementation.
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
π Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
Django
The Web framework for perfectionists with deadlines.
Laravel
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. πππ
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft
Open source projects and samples from Microsoft.
Google
Google β€οΈ Open Source for everyone.
Alibaba
Alibaba Open Source for everyone
D3
Data-Driven Documents codes.
Tencent
China tencent open source team.